OpenVPN doesn't work without Any/Any rule

  • Hey,

I'm currently testing pfSense as an OpenVPN server. It works great (awesome, in fact) as long as I have an any/any rule on the OpenVPN interface.

    For obvious reasons I cannot leave that rule in place. I need some help creating a rule that will work in its place. Attached is a screenshot of my rules.


  • OpenVPN uses UDP by default, not TCP.

  • I changed mine to use TCP. Should I try it with UDP?

  • No luck with UDP either. Is this because I have a multi-WAN setup?

  • Well, are you trying to connect to the OPT?
    Can you please give complete information on your setup and what you're trying to do?

  • OpenVPN server is configured to accept connections on TCP port 1194.

I would like clients to connect (from home, hotels, etc.) to OpenVPN on the OPT1 interface, which has a public IP.

    It is working wonderfully, aside from the fact that I need a rule that allows all traffic to the OPT1 interface address. I would love to lock this rule down, but whenever I try to restrict the source, the OpenVPN client will not connect!

    What do other people's OpenVPN rules look like?

  • If you want to connect to OPT1, you need to add the line "local IP_of_OPT" to the "custom options" of the OpenVPN server.

  • OPT1 is a WAN interface. I doubt everyone who runs OpenVPN has to have an any/any rule on their WAN interface?

  • No, you don't need/want an any-any rule.
    You only need a single rule allowing access to the OpenVPN server.
    But you also need this line in the custom config so that you can connect to the server.

    I assume, since you could access the server with the any-any rule, that you essentially connected to the primary WAN over the OPT.
    That's the only way I can think of that it worked.
    Otherwise you should not have been able to connect at all.
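
    The configuration the reply above describes, written out as an added example (it is not from this thread or from pfSense's own generated config). The addresses are assumptions: 203.0.113.10 stands in for the OPT1 public IP and 10.8.0.0/24 for the tunnel network; the rule fields are named as they appear in the pfSense firewall rule editor. The `local` line is the one that goes into the OpenVPN server's Custom options; the rest is the ordinary server configuration it ends up in.

```conf
# Added example, not the thread's or pfSense's own config.
# 203.0.113.10 = assumed OPT1 address; 10.8.0.0/24 = assumed tunnel network.

# Bind the daemon only to the OPT1 address. Without "local", OpenVPN binds to
# every address (*:1194) and answers can leave via the default route on the
# primary WAN, which is why a tight rule on OPT1 fails while any/any appears
# to work. This is the line to put in the server's Custom options on pfSense.
local 203.0.113.10
port 1194
proto udp            # use "proto tcp-server" if the server really must use TCP
dev tun
server 10.8.0.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun

# Matching firewall rule on the OPT1 interface (one rule, no any/any):
#   Action: Pass
#   Interface: OPT1
#   Protocol: UDP            (TCP if "proto tcp-server" is used above)
#   Source: any              (roaming clients, so the source cannot be narrowed)
#   Destination: OPT1 address
#   Destination port: 1194
#
# The OpenVPN interface itself then only needs rules for what the tunnelled
# clients are allowed to reach on the LAN; nothing any/any is required there.

# Check from the pfSense shell that the daemon is bound where you expect:
#   sockstat -4 -l | grep 1194
# should list 203.0.113.10:1194 rather than *:1194.
```

    The only thing left open in the rule is the source, and that is unavoidable when clients connect from hotels and home connections with unknown addresses; the protocol, destination address and destination port are what keep the rule from being an any/any.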

  • I don't think I'll have time to try anything today, but I'll give that a shot over the weekend!